 From:  Denny <denny at mypolaris dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] captive portal and wireless repeater (wds) problem
 Date:  Fri, 21 Apr 2006 16:06:58 +0700
On 4/13/06, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> From: "dny" <mail2dny at gmail dot com>
> > On 4/8/06, Lee Sharp <leesharp at hal dash pc dot org> wrote:
> >> From: "dny" <mail2dny at gmail dot com>
> >> > i'm pretty sure it didn't do any natting.
> >> > and these facts support my belief:
> >> > - all wireless clients can ping each other, and firewall can ping to
> >> > all clients, regardless which ap/repeater they connect to.
> >> > - all clients can ping to firewall
> >> > - all ip is in same network/subnet and retrieved by dhcp from firewall
> >> > - the firewall settings already disabled from all wireless ap/repeater
> >> > gui
> >> > - windows network neighbourhood can see all computers, regardless
> >> > which ap/repeater they connect to.
> >> > all my wireless is linksys wrt54g flashed with ddwrt firmware.
> >> If you can, flash to Tofu.  It does the client connection better...  And
> >> WDS may not be properly proxying your MAC address, which would cause this
> >> problem.  Try setting one in client mode, and connect to the ethernet
> >> port.  If it works, it is a WDS thing.
> > so, in my case, there's no way i can use captive portal??
> Yes there is, but you may have to do some additional steps, or use some
> extra hardware.
> > did you try tofu firmware with wds? can it really work?
> > i really can't try it yet, since all my wrt54g units are in use.....
> I only tried it in client mode.  It works in client mode.  I am using it
> now.
> > also, another problem with captive portal.....
> > it seems that captive portal lock the login with mac address.
> > so, when A connect and login correctly, and then didn't logout but just
> > turn off the pc.
> > then B steal the A's mac address and then he can use the internet without
> > login.
> This is how it works.  Authentication is based on mac.
> > so, imho, it's better use other method perhaps cookies or something
> > else to identify the real computer instead of using mac address.
> Because no one could fake a cookie...  Nothing is perfect.  For more
> security, use VPN to access the internet...
>                         Lee

i think the problem is probably with the captive portal.

because yesterday i had a chance to try out engenius wsr3800
(a hotspot system with built in authentication system / captive portal)
and tried using the same wireless repeater (wds) and same firmware (ddwrt),
and it worked out fine.
the unit can authenticate all clients even if a client is connected to a repeater.

also, when i check arp tables and dhcp leases table in monowall, both
show up correct clients' mac and ip address.

captive portal is the only one that cannot see the real client's ip address.



--- http://bloglines.com/public/bacaan --- have you read yet today?

... they look but do not see and hear but do not listen or understand. Mat 13:13
... but that which cometh out of the mouth, this defileth a man.   Mat 15:11
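
Added example, not part of the original message or of m0n0wall: a check for the condition Lee raises above (a repeater presenting its own MAC for the clients behind it), which matters because the portal authenticates by MAC. It compares the MAC each client declared to DHCP with the MAC seen in the ARP table; the FreeBSD `arp -an` and ISC dhcpd lease formats, the sample data and all function names are assumptions.

```python
import re
from collections import defaultdict
# Constructed sample: FreeBSD-style `arp -an` output (format is an assumption).
ARP_OUTPUT = """\
? (192.168.1.101) at 00:13:ce:aa:bb:01 on sis1 [ethernet]
? (192.168.1.102) at 0:14:bf:0:0:ee on sis1 [ethernet]
? (192.168.1.103) at 00:14:bf:00:00:ee on sis1 [ethernet]
? (192.168.1.104) at (incomplete) on sis1 [ethernet]
"""
# Constructed sample: ISC dhcpd.leases excerpt. "hardware ethernet" comes from
# the DHCP payload, not the frame header (assumed not rewritten by the repeater).
LEASES = """\
lease 192.168.1.101 { hardware ethernet 00:13:ce:aa:bb:01; }
lease 192.168.1.102 { hardware ethernet 00:13:ce:aa:bb:02; }
lease 192.168.1.103 { hardware ethernet 00:13:ce:aa:bb:03; }
"""
MAC = r"[0-9a-f]{1,2}(?::[0-9a-f]{1,2}){5}"
ARP_RE = re.compile(r"\((\d+(?:\.\d+){3})\) at (" + MAC + r")\s", re.I)
LEASE_RE = re.compile(r"lease (\d+(?:\.\d+){3}) \{(.*?)\}", re.S)
HW_RE = re.compile(r"hardware ethernet (" + MAC + r");", re.I)

def norm(mac):
    """Lower-case and zero-pad each octet so 0:14:bf matches 00:14:bf."""
    return ":".join(octet.zfill(2) for octet in mac.lower().split(":"))

def parse_arp(text):
    """IP -> MAC as seen on the wire; incomplete entries are skipped."""
    return {ip: norm(mac) for ip, mac in ARP_RE.findall(text)}

def parse_leases(text):
    """IP -> MAC the client declared to DHCP; the last lease for an IP wins."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        hw = HW_RE.search(body)
        if hw:
            leases[ip] = norm(hw.group(1))
    return leases

def audit(arp, leases):
    """Return (ip -> (lease_mac, wire_mac) mismatches, mac -> IPs sharing it)."""
    mismatched = {ip: (leases[ip], mac) for ip, mac in arp.items()
                  if ip in leases and leases[ip] != mac}
    by_mac = defaultdict(list)
    for ip, mac in arp.items():
        by_mac[mac].append(ip)
    shared = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return mismatched, shared

if __name__ == "__main__":
    for finding in audit(parse_arp(ARP_OUTPUT), parse_leases(LEASES)):
        print(finding)
```

An empty result for both findings means every client reaches the firewall with its own MAC, so a portal keyed on MAC can tell the clients apart.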